Parameter Name | Required | Service Affecting | Data Type | Default Value | Possible Values | Description |
---|---|---|---|---|---|---|
TunnelActivation | Yes | Yes | Enum | 1 | Possible values: | Activates SBC communication with the remote IPsec peer by initiating the IKE and IPsec phase negotiations as a permanent or on-demand service type. This parameter is applicable when the "Operating Mode" is set to "Initiator". |
TunnelName | Yes | Yes | string | none | 64 - Max Length | Specifies the IPsec tunnel name that this IPsec object is associated with. The tunnel name must not contain any space characters. |
OperatingMode | Yes | Yes | Enum | 0 | Possible values: | Controls SBC communication with the remote peer for IKE negotiations and IPsec connections. |
allowAnyLocalAddress | Yes | Yes | Enum | 0 | Possible values: | |
localAddress | Yes | Yes | string | none | 255 - Max Length | Specifies the IP address or fully-qualified domain name of the local network interface. If "Allow any address" is set to True, any outgoing address is allowed during negotiations. |
allowAnyRemoteAddress | Yes | Yes | Enum | 0 | Possible values: | |
remoteAddress | Yes | Yes | string | none | 255 - Max Length | Specifies the IP address or fully-qualified domain name of the remote network interface. If "Allow any address" is set to True, any incoming address is allowed during negotiations. |
localSubnetAddress | Yes | Yes | string | none | 200 - Max Length | Specifies the IP address of the private subnet behind the local network interface. This can be expressed as network/netmask. A maximum of 10 subnets can be specified, separated by commas. |
remoteSubnetAddress | Yes | Yes | string | none | 200 - Max Length | Specifies the IP address of the private subnet behind the remote network interface. This can be expressed as network/netmask. A maximum of 10 subnets can be specified, separated by commas. |
applyPolicyRules | Yes | No | Enum | 1 | Possible values: | |
useSANIdentifier | No | No | Enum | 0 | Possible values: | |
localSANIdentifier | Yes | Yes | string | none | 255 - Max Length | Specifies the configured Subject Alternative Name (SAN) identifier to be sent to the remote gateway for a peer authentication config match. If "peerAuthIdentifier" on the remote gateway is configured to authenticate a SAN identifier from the peer's certificate, it will attempt to match its configured SAN identifier with the expected SAN identifier retrieved from the peer authentication config. If "useSANIdentifier" is set to True, the SAN identifier must be picked from the list of DNS names displayed under the local attributes for the 'SBC Certificate'. This option is available if "UseSANIdentifier" is set to "True". |
peerAuthMode | Yes | Yes | Enum | 0 | Possible values: | Specifies the authentication method required from the remote side. Certificate authentication mode: specifies the use of a public key signature when authenticating the peer IPsec gateway. The system must contain the server certificate/private key, the Certificate Authority (CA) which signed the certificate, and the peer's CA for identifying the peer. Preshared Key authentication mode: specifies the key to be shared with the peer. This key must match the key configured on the peer system. |
peerAuthIdentifier | Yes | Yes | string | none | 255 - Max Length | Specifies how the peer should be identified for IKE certificate authentication. When Certificate is selected as the peer authentication mode, a valid identifier should be set to the peer certificate's Subject Alternative Name (SAN) or the peer's subject Distinguished Name (Subject DN). Alternatively, if the SAN or Subject DN is not known, it can be configured as 'any' on an SBC responder-side gateway configured for 'any' remote address. This option is available if "Peer Authentication Mode" is set to "Certificate". |
remoteIdentifier | Yes | Yes | string | none | 255 - Max Length | Specifies how the peer should be identified for IKE preshared key authentication. The identifier selector can be the all-hosts address (0.0.0.0), a specific IP address, or a fully-qualified domain name of the remote LAN network interface. This option is available when "Allow any address" is set to "True" and the "Peer Authentication Mode" is set to "Preshared Key". |
EncryptedPresharedKey | Yes | Yes | string | none | 256 - Max Length | Specifies the secret value which is shared with the peer. When Preshared Key is selected as the peer authentication mode, the secret value can be a pass-phrase or a hex string. This key must match the key configured on the peer system. This option is available if "Peer Authentication Mode" is set to "Preshared Key". |
encryption | Yes | No | Enum | 1 | Possible values: | The Internet Key Exchange (IKE) protocol establishes a secure channel for IKE Phase 1 protected authentication and IPsec Phase 2 traffic protection with the Encapsulating Security Payload (ESP) protocol, using the encryption algorithm to provide data confidentiality. |
integrity | Yes | No | Enum | 0 | Possible values: | The Internet Key Exchange (IKE) protocol establishes a secure channel for IKE Phase 1 protected authentication and IPsec Phase 2 traffic protection with the Encapsulating Security Payload (ESP) protocol, using the hash algorithm to provide integrity. |
dhgroup | Yes | No | Enum | 3 | Possible values: | The Internet Key Exchange (IKE) protocol establishes a secure channel for IKE Phase 1 protected authentication and IPsec Phase 2 traffic protection with the Encapsulating Security Payload (ESP) protocol, using the encryption algorithm to provide authenticity. |
enablePFS | Yes | No | Enum | 1 | Possible values: | If enabled, a new ISAKMP SA is created for each IPsec SA negotiation and a Diffie-Hellman exchange is performed for each IPsec SA negotiation. True: the DH group is defined by the Phase 2 Diffie-Hellman Group parameter. False: no Phase 2 DH group is specified or exchanged for IPsec Phase 2 negotiations. |
enableRekeying | Yes | No | Enum | 0 | Possible values: | True: initiate SA negotiation upon connection expiry. Applies to both the IKE SA and the IPsec SA. False: SA negotiation is not initiated upon connection expiry. |
enableReauthentication | Yes | No | Enum | 0 | Possible values: | |
keyingRetries | Yes | No | int | 3 | Possible values: | Specifies how many attempts should be made to negotiate a connection. This parameter applies to both the IKE SA and the IPsec SA. |
ikeLifetime | Yes | No | int | 10800 | Possible values: | Specifies the lifetime of the IKE SA connection, from successful negotiation to expiry. |
ipsecLifetime | Yes | No | int | 3600 | Possible values: | Specifies the lifetime of the IPsec SA connection, from successful negotiation to expiry. |
marginTime | Yes | No | int | 600 | Possible values: | Time before SA expiry at which rekeying should start. Applies to both the IKE SA and the IPsec SA. |